Similar presentations

2 Introduction Purpose of Session:Provide Overview Web Application Security Threats and DefenseUsing the Open Web Application Security Project (OWASP) “2007 Top Ten List,” we will:Define the vulnerabilitiesIllustrate the Web Application vulnerabilitiesExplain how to protect against the vulnerabilities

7 If it really is that bad, Why..?If it really is that bad, why aren’t majority of web sites defaced and infected with worms?Difficult to write automated worms against custom software.Good news: What can be automated by attackers, can also be discovered by security scanners.Without automation, attack of web applications is semi-manual process.Technical difficulty eliminates the lowest level script kiddies, but doable by even intermediate attackers.Difficult to estimate the number of Web Applications already compromised especially since attackers are quietly keeping “ownership” rather than defacing.Many major sites are vulnerable. Check out for a list of currently vulnerable and recently remediated sites.

10 A1. Cross-Site Scripting (XSS) Attacks3 Categories of XSS attacks:Stored - the injected code is permanently stored (in a database, message forum, visitor log, etc.)Reflected - attacks that are reflected take some other route to the victim (through an message, or bounced off from some other server)DOM injection – Injected code manipulates sites javascript code or variables, rather than HTML objects.Example Comment embedded with JavaScriptcomment=“Nice site! <SCRIPT> window.open( </SCRIPT>

11 A1. Cross-Site Scripting (XSS)Occurs when an attacker can manipulate a Web application to send malicious scripts to a third party.This is usually done when there is a location that arbitrary content can be entered into (such as an message, or free text field for example) and then referenced by the target of the attack.The attack typically takes the form of an HTML tag (frequently a hyperlink) that contains malicious scripting (often JavaScript).The target of the attack trusts the Web application and thus XSS attacks exploit that trust to do things that would not normally be allowed.The use of Unicode and other methods of encoding the malicious portion of the tag are often used so the request looks less suspicious to the target user or to evade IDS/IPS.Some good video tutorials about how this attack is executed:

12 XSS - Protection Protect your application from XSS attacksFilter output by converting text/data which might have dangerous HTML characters to its encoded format:'<' and '>' to '<' and '>’'(' and ')' to '(' and ')’'#' and '&' to '#' and '&‘Recommend filtering on input as much as possible. (some data may need to allow special characters.)

13 A2. Injections FlawsOWASP Definition: Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker’s hostile data tricks the interpreter into executing unintended commands or changing data.

14 A2. Injections FlawsSome common types of command injection flaws include:SQL injection (malicious calls to backend databases via SQL), using shell commands to run external programsUsing system calls to in turn make calls to the operating system.Any Web application that relies on the use of an interpreter has the potential to fall victim to this type of flaw

15 A2. Injections Flaws: ProtectionUse language specific libraries to perform the same functions as shell commands and system callsCheck for existing reusable libraries to validate input, and safely perform system functions, or develop your own.Perform design and code reviews on the reusable libraries to ensure security.Other common methods of protection include:Use stored ProceduresData validation (to ensure input isn't malicious code),Run commands with very minimal privilegesIf the application is compromised, the damage will be minimized.

17 A3. Malicious File ExecutionApplications which allow the user to provide a filename, or part of a filename are often vulnerable if input is not carefully validated.Allowing the attacker to manipulate the filename may cause application to execute a system program or external URL.Applications which allow file uploads have additional risksPlace executable code into the applicationReplace a Session file, log file or authentication token

18 A3. Malicious File Execution ProtectionDo not allow user input to be used for any part of a file or path name.Where user input must influence a file name or URL, use a fully enumerated list to positively validate the value.File uploads have to be done VERY carefully.Only allow uploads to a path outside of the webroot so it can not be executedValidate the file name provided so that a directory path is not included.Implement or enable sandbox or chroot controls which limit the applications access to files.

19 A4. Insecure Direct Object ReferenceOWASP Definition:A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.

20 A4. Insecure Direct Object ReferenceApplications often expose internal objects, making them accessible via parameters.When those objects are exposed, the attacker may manipulate unauthorized objects, if proper access controls are not in place.Internal Objects might includeFiles or DirectoriesURLsDatabase key, such as acct_no, group_id etc.Other database object names such as table name

21 A4. Insecure Direct Object Reference ProtectionDo not expose direct objects via parametersUse an indirect mapping which is simple to validate.Consider using a mapped numeric range, file=1 or 2 …Re-verify authorization at every reference.For example:Application provided an initial lists of only the authorized options.When user’s option is “submitted” as a parameter, authorization must be checked again.

22 A5. Cross Site Request Forgery (CSRF)OWASP Definition:A CSRF attack forces a logged-on victim’s browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim’s browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.

23 A5. Cross Site Request Forgery (CSRF)Applications are vulnerable if any of following:Does not re-verify authorization of actionDefault login/password will authorize actionAction will be authorized based only on credentials which are automatically submitted by the browser such as session cookie, Kerberos token, basic authentication, or SSL certificate etc.

24 A5. Cross Site Request Forgery (CSRF) ProtectionEliminate any Cross Site Scripting vulnerabilitiesNot all CSRF attacks require XSSHowever XSS is a major channel for delivery of CSRF attacksGenerate unique random tokens for each form or URL, which are not automatically transmitted by the browser.Do not allow GET requests for sensitive actions.For sensitive actions, re-authenticate or digitally sign the transaction.

26 Improper Error Handling: ProtectionPrevent display of detailed internal error messages including stack traces, messages with database or table names, protocols, and other error codes. (This can provide attackers clues as to potential flaws.)Good error handling systems should always enforce the security scheme in place while still being able to handle any feasible input.Provide short error messages to the user while logging detailed error information to an internal log file.Diagnostic information is available to site maintainersVague messages indicating an internal failure provided to the usersProvide just enough information to allow what is reported by the user to be able to linked the internal error logs. For example: System Time-stamp, client IP address, and URL

27 Information Leakage - ExampleSensitive information can be leaked very subtletyVery Common Example - Account HarvestingApp. responds differently to a valid user name with an invalid password, then it would to a invalid user nameWeb application discloses which logins are valid vs. which are invalid, and allows accounts to be guessed and harvested.Provides the attacker with an important initial piece of information, which may then be followed with password guessing.Difference in the Web App response may be:Intentional (Easier to for users to tell then the account name is wrong)Different code included in URL, or in a hidden fieldAny minor difference in the HTML is sufficientDifferences in timing are also common and may be used!

28 Information Leakage: ProtectionsEnsure sensitive responses with multiple outcomes return identical resultsSave the the different responses and diff the html, the http headers & URL.Ensure error messages are returned in roughly the same time or consider imposing a random wait time for all transactions to hide this detail from the attacker.

30 Session ManagementHTTP/S protocol does not provide tracking of a users session.Session tracking answers the question:After a user authenticates how does the server associate subsequent requests to the authenticated user?Typically, web application vendors provide a built-in session tracking, which is good if used properly.Often developers will make the mistake of inventing their own session tracking.

31 Session Management (Session IDs)A Session IDUnique to the UserUsed for only one authenticated sessionGenerated by the serverSent to the client asHidden variable,HTTP cookie,URL query string (not a good practice)The user is expected to send back the same ID in the next request.

32 Session Management (Session Hijacking)Session ID is disclosed or is guessed.An attacker using the same session ID has the same privileges as the real user.Especially useful to an attacker if the session is privileged.Allows initial access to the web application to be combined with other attacks.

33 Session Management: ProtectionUse long complex random session ID that cannot be guessed.Protect the transmission and storage of the Session ID to prevent disclosure and hijacking.A URL query string should not be used for Session ID or any User/Session informationURL is stored in browser cacheLogged via Web proxies and stored in the proxy cache

34 Session Management: ProtectionEntire session should be transmitted via HTTPS to prevent disclosure of the session ID. (not just the authentication)Avoid or protect any session information transmitted to/from the client.Session ID should expire and/or time-out on the Server when idle or on logout.Client side cookie expirations useful, but should not be trusted.Consider regenerating a new session upon successful authentication or privilege level change.Example Session ID using cookieSet-Cookie: siteid=91d3dc13713aa579d0f f4; path=/; expires=Wednesday, 22-Oct :12:40 domain=.secureCookie: siteid=91d3dc13713aa579d0f f4

36 Broken Account and Session Management: ProtectionPassword Change Controls - require users to provide both old and new passwordsForgotten Password Controls - if forgotten passwords are ed to users, they should be required to re-authenticate whenever they attempt to change their address.Password Strength - require at least 7 characters, with letters, numbers, and special characters both upper case and lower case.Password Expiration - Users must change passwords every 90 days, and administrators every 30 days.

37 Broken Account and Session Management: ProtectionPassword Storage - never store passwords in plain text. Passwords should always be stored in either hashed (preferred) or encrypted form.Protecting Credentials in Transit - to prevent "man-in-the-middle" attacks the entire authenticated session / transaction should be encrypted SSLv3 or TLSv1Man-in-the-middle attacks - are still possible with SSL if users disable or ignore warnings about invalid SSL certificates.Replay attacks - Transformations such as hashing on the client side provide little protection as the hashed version can simply be intercepted and retransmitted so that the actual plain text password is not needed.Passwords should never be stored in plain text within the application.It’s surprising how many times developers will try put password in code or a configuration file in clear text.Passwords should always be stored in either hashed (preferred) or possible an encrypted form.A secure Hash is preferred (such as MD5 or BlowFish) as it’s not reversible.The problem with using symmetric encryption to store a password is that it requires another password for the encryption. Now how do you hide the password to the password…

39 A8. Insecure Cryptographic StorageThe majority of Web applications in use today need to store sensitive information (passwords, credit card numbers, proprietary information, etc.) in a secure fashion.The use of encryption has become relatively easy for developers to incorporate.Proper utilization of cryptography, however, can remain elusive by developers overestimating the protection provided by encryption, and underestimating the difficulties of proper implementation and protecting the keys.

40 Insecure Cryptographic Storage: Common MistakesImproper/insecure storage of passwords, certifications, and keysPoor choice of algorithmPoor source of randomness for initialization vectorsAttempting to develop a new encryption scheme "in house” (Always a BAD idea)Failure to provide functionality to change encryption keys

43 Insecure CommunicationsFailure to encrypt network traffic leaves the information available to be sniffed from any compromised system/device on the network.Switched networks do not provide adequate protection.

44 Insecure Communications: ProtectionUse SSL/TLS for ALL connections that are authenticated or transmitting sensitive informationUse SSL/TLS for mid-tier and internal network communications between Web Server, Application and database.Configure Desktop Clients and Servers to ensure only SSLv3 and TLSv1 are used with strong ciphers.Use only valid trusted SSL/TLS certificates and train users to expect valid certificates to prevent Man-in-the-Middle attacks.

45 A10. Failure to Restrict URL AccessOWASP Definition:Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly.

46 A10. Failure to Restrict URL AccessWhen the application fails to restrict access to administrative URLs, the attacker can access normally unauthorized areas by type in the URL’s into the browser.Surprisingly common, for example:add_account_form.php - checks for admin access before displaying the form.Form then posts to add_acct.php which does the work, but doesn’t check for admin privileges!Consistent URL access control has to be carefully designed.

47 A10. Failure to Restrict URL Access : ProtectionStart Early!Create an application specific security policy during the requirements phase.Document user roles as well as what functions and content each role is authorized to access.Specifying access requirements up front allows simplification of the designIf your access control is not simple it won't be secure.

48 A10. Failure to Restrict URL Access: ProtectionTest Thoroughly!Conduct extensive regression testing to ensure the access control scheme cannot be bypassedTest all invalid access attempts as well as valid access.Don't follow the normal application flow.Verify that all aspects of user management have been taken under consideration including scalability and maintainability.

49 Summary Application Security starts with the Architecture and DesignSecurity can’t be added on later without re-designing and rewritingCustom code often introduces vulnerabilitiesApplication vulnerabilities are NOT prevented by traditional security controls.Don’t invent your own security controlsDesign, Design, Design, code, test, test, test